Enable support for Kerberos authentication

Updated: December 30, 2007

Applies To: Windows Server 2008 R2, Windows Server 2012

If you plan to use Active Directory Rights Management Services (AD RMS) with Kerberos authentication, you must take additional steps to configure the server running AD RMS after installing the AD RMS server role and provisioning the server. Specifically, you must perform these procedures:

Set the Internet Information Services (IIS) useAppPoolCredentials variable to True

Set the Service Principal Names (SPN) value for the AD RMS service account

Membership in the AD RMS Enterprise Administrators and the Enterprise Admins groups in AD DS, or equivalent, is the minimum required to complete this procedure.

Set the IIS useAppPoolCredentials value to True

1. Open an elevated command prompt window. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

To perform the following procedure successfully, the AD RMS service account must be in the same forest as the AD RMS cluster. Also, if you change the AD RMS service account, you must delete the SPN registrations for the previous service account and then perform this procedure for the new service account.

Set the Service Principal Names (SPN) value for the AD RMS service account

1. Open an elevated command prompt window. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

2. Type setspn -a HTTP/<ServerName> <ServiceAccountDomain>\<ServiceAccount>, where <ServerName> is the name of the server, <ServiceAccountDomain> is the name of the domain containing the AD RMS service account, and <ServiceAccount> is the name of the AD RMS service account.

3. Type setspn -a HTTP/<ServerFQDN> <ServiceAccountDomain>\<ServiceAccount>, where <ServerFQDN> is the fully qualified domain name (FQDN) of the server.

4. Type setspn -a HTTP/<ClusterName> <ServiceAccountDomain>\<ServiceAccount>, where <ClusterName> is the name of the AD RMS cluster.

5. Type setspn -a HTTP/<ClusterFQDN> <ServiceAccountDomain>\<ServiceAccount>, where <ClusterFQDN> is the fully qualified domain name (FQDN) of the cluster.

Note

If the cluster is using Secure Sockets Layer (SSL), repeat steps 2 through 5, substituting HTTPS for HTTP.
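The following script is an added example that is not part of the original page or of the AD RMS product documentation. It carries out both procedures above in one run: it sets the IIS useAppPoolCredentials value and registers the four HTTP SPNs (plus the HTTPS set when the cluster uses SSL) on the AD RMS service account. All server, cluster and account names in it are constructed placeholders. The page names the useAppPoolCredentials setting but does not show the command that sets it; the appcmd invocation used here is an assumption about how that is done at the server level. The script also uses setspn -S rather than the page's setspn -a: -S performs the same registration but first checks the forest for a duplicate and refuses if another account already holds the SPN, which is the failure mode you most want to catch, since a Kerberos SPN that maps to two accounts breaks ticket validation for the service. The Remove-AdRmsSpn function covers the case the page calls out where the service account was changed and the old registrations must be deleted first.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell
# session on the AD RMS server. Every name below is a constructed placeholder.
$ServiceAccount = 'CONTOSO\svc-adrms'       # <ServiceAccountDomain>\<ServiceAccount>
$ServerName     = 'ADRMS01'                 # <ServerName>
$ServerFqdn     = 'adrms01.contoso.com'     # <ServerFQDN>
$ClusterName    = 'adrms'                   # <ClusterName>
$ClusterFqdn    = 'adrms.contoso.com'       # <ClusterFQDN>
$UseSsl         = $true                     # $false if the cluster does not use SSL

function Set-AdRmsAppPoolCredentials {
    # First procedure. ASSUMPTION: the page does not show the command; this sets
    # useAppPoolCredentials on the server-level windowsAuthentication section so
    # IIS decrypts Kerberos tickets with the application pool identity (the AD RMS
    # service account) instead of the machine account. That is why the SPNs below
    # must be registered on the service account and not on the computer object.
    $appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
    & $appcmd set config `
        '-section:system.webServer/security/authentication/windowsAuthentication' `
        '-useAppPoolCredentials:true'
}

function Get-AdRmsSpnList {
    # Steps 2 to 5 of the SPN procedure, and the Note's HTTPS repetition.
    $services = @('HTTP')
    if ($UseSsl) { $services += 'HTTPS' }
    foreach ($svc in $services) {
        foreach ($h in @($ServerName, $ServerFqdn, $ClusterName, $ClusterFqdn)) {
            "$svc/$h"
        }
    }
}

function Register-AdRmsSpn {
    foreach ($spn in Get-AdRmsSpnList) {
        # setspn -S adds the SPN only if no other account in the forest already
        # has it. A duplicate (commonly the machine account from an earlier
        # setup) must be removed before Kerberos authentication will work.
        $out = & setspn.exe -S $spn $ServiceAccount 2>&1
        if ($out -match 'Duplicate SPN found') {
            Write-Warning ("{0} is already registered to another account:`n{1}" -f $spn, ($out -join "`n"))
        } else {
            Write-Output "Registered $spn on $ServiceAccount"
        }
    }
    # Verification: every SPN now held by the service account.
    & setspn.exe -L $ServiceAccount
}

function Remove-AdRmsSpn {
    # Use when the AD RMS service account has changed: the page requires the
    # previous account's registrations to be deleted before re-registering.
    param([Parameter(Mandatory)][string]$OldAccount)   # e.g. 'CONTOSO\svc-adrms-old'
    foreach ($spn in Get-AdRmsSpnList) {
        & setspn.exe -D $spn $OldAccount
    }
}

Set-AdRmsAppPoolCredentials
# Remove-AdRmsSpn -OldAccount 'CONTOSO\svc-adrms-old'   # only after an account change
Register-AdRmsSpn
```

After the run, the output of setspn -L should list exactly the HTTP (and HTTPS) entries for the server short name, server FQDN, cluster name and cluster FQDN on the service account; any "Duplicate SPN found" warning identifies the other account that must lose the entry (with setspn -D) before the registration is retried.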